OAuth setup with Zitadel

[Aurel004]

Configuration Example

Let's configure mealie to work with Zitadel

Docs used:

• https://docs.mealie.io/documentation/getting-started/authentication/oidc/
• https://docs.mealie.io/documentation/getting-started/installation/backend-config/#openid-connect-oidc

1. Go to your zitadel console: https://zitadel.mydomain.com/ui/console

2. Go to Projects and create a new one if needed, mine will be server

3. Click on New
   

4. Name it Mealie and select User Agent
   

5. Select PKCE
   

6. Redirect URIs set the url of mealie and path login: https://mealie.mydomain.com/login
   Post Logout URIs set the url of mealie and path login?direct=1: https://mealie.mydomain.com/login?direct=1
   

7. Click Create and copy the ClientId provided in Notepad

8. To configure the OIDC_ADMIN_GROUP: Users that are in this group (within your IdP) will be seen as admin in Mealie. you will need to configure Roles

   • In your project (Step 2), click on General, and copy to Notepad the Resource Id shown on top
   • In your project (Step 2), click on General, and tick Assert Roles on Authentication
   • In your project (Step 2), click on Roles, New
     
   • Enter Key Admin (this will be the name used for the group name in mealie), a display name and a group (this one is used for hierarchical groups in case you create other groups)
     
   • Next, go to Authorizations, click New, search your username (and/or people you want to be admin), click Continue and select the created Role
   • Click on your newly created Mealie app in Zitadel (in your project, General), click on Token Settings and tick User roles inside ID Token to add the Admin role to the response for Mealie
   • Also tick User Info inside ID Token to give your preferred_username and email to Mealie

9. Go to your mealie docker-compose.yml file and add the following to environment:
   #SSO
OIDC_AUTH_ENABLED: true #Enable OIDC
OIDC_SIGNUP_ENABLED: false #Allow unknown users for mealie
OIDC_CONFIGURATION_URL: https://zitadel.mydomain.com/.well-known/openid-configuration
OIDC_CLIENT_ID: XXX@server #ClientId of Step 7
OIDC_AUTO_REDIRECT: false #Enable or disable auto-redirect to OIDC
OIDC_PROVIDER_NAME: Zitadel #Choose a name, it can be OAuth (default)
OIDC_REMEMBER_ME: true
OIDC_ADMIN_GROUP: Admin #The Key name in Step 8
OIDC_GROUPS_CLAIM: urn:zitadel:iam:org:project:{projectId}:roles #Replace {projectId} with the Resource Id copied in step 8, you can also put urn:zitadel:iam:org:project:roles instead but might be deprecated in the future
OIDC_USER_CLAIM: email #Default email, so your email in Zitadel must match existing email account in mealie (if OIDC_SIGNUP_ENABLED set to false), it can be changed to preferred_username

10. Recreate your container and voilà, you're done

[shaqagain]

Is this setup still possible following v2.0? I'm having trouble setting up Mealie w/ Zitadel using User Agent/SPA (because there's no secret) and using Web. Mealie itself recognizes my OIDC configuration, but Zitadel does not even see the client ID.

[shaqagain]

I realized my mistake. I was under the impression the ".well-known/openid-configuration" portion of the OIDC_CONFIGURATION_URL was a placeholder, but its not. Working as expected after setting to https://sub.domain.com/.well-known/openid-configuration

Thank you for the guide!